My reading of RFC 3280/5280 and from implementation experience with NSS, CryptoAPI, OpenSSL, and other implementations is that no, that is not correct.
CA:TRUE with a pathlen:0 is conformant to RFCs 3280/5280. The most common cause for this would be for a CA certifying an intermediate, but that intermediate should not be allowed to further mint new intermediates. The intermediate will be flagged with CA:TRUE, pathlen:0.

CA:FALSE with a pathlen:anything is non-conformant.

CA:TRUE with pathlen omitted indicates there are no constraints on the length of the path (pathlen: -1).

basicConstraints MUST NOT be omitted for CA certificates (or more aptly, certificates which sign other certificates). It MUST be present and MUST be critical.

basicConstraints MAY be omitted for "end-entity" certificates, and if present, it MAY be critical. The absence of basicConstraints is the same as CA:FALSE with no pathlen.

Again, CA:TRUE, pathlen:0 = A CA certificate that can mint any number of certificates, but none of those certificates may be used to sign other certificates (aka: no certificate issued may be used as an intermediate)

> -----Original Message-----
> From: dev-tech-crypto-bounces+ryan-mozdevtechcrypto=sleevi....@lists.mozilla.org [mailto:dev-tech-crypto-bounces+ryan-mozdevtechcrypto=sleevi....@lists.mozilla.org] On Behalf Of Ralph Holz (TUM)
> Sent: Tuesday, September 20, 2011 1:51 PM
> To: mozilla-dev-tech-cry...@lists.mozilla.org
> Cc: mozilla's crypto code discussion list
> Subject: Re: Question about pathlen extension checked
>
> Hi,
>
> Thanks for the replies, it's very much appreciated. It takes careful
> reading of RFC 3280 if you don't want to miss the crucial distinction
> between "intermediate certificate on the path" and "certificate on the
> path" - thanks for the highlighting.
>
> My conclusion from all this is that the many certs with CA:TRUE and
> pathlen:0 are not conformant, but not able to operate as CAs, either.
> Right?
>
> Interesting that there are so many, tho.
>
> Thanks,
> Ralph
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
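The rules summarised in the reply above (absent basicConstraints equals CA:FALSE, pathlen is only meaningful with CA:TRUE, CA certificates must carry a critical basicConstraints, and a pathlen:0 intermediate may issue end-entity certificates but not further intermediates) can be exercised with a small checker. The following is an added illustration, not code from this thread or from NSS, CryptoAPI or OpenSSL; it models certificates with a constructed dataclass instead of parsing real DER, and the path is ordered from the certificate issued by the trust anchor down to the end entity, with the trust anchor itself outside the path as in RFC 5280 section 6.1. The path-length walk follows steps (k) to (m) of RFC 5280 section 6.1.4, including the self-issued exception behind the "intermediate certificate on the path" wording Ralph mentions.

```python
"""Toy basicConstraints / pathLenConstraint checker (added example, stdlib only).

Certificates are represented by a constructed dataclass rather than parsed DER.
A path is a list ordered from the certificate issued by the trust anchor down to
the end-entity certificate; the trust anchor is not part of the path.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class BasicConstraints:
    ca: bool
    pathlen: Optional[int] = None   # None = pathLenConstraint omitted (no limit)
    critical: bool = False


@dataclass
class Cert:
    subject: str
    issuer: str
    basic_constraints: Optional[BasicConstraints] = None  # None = extension absent


def effective_constraints(bc: Optional[BasicConstraints]) -> Tuple[bool, Optional[int]]:
    """An absent extension is treated exactly like CA:FALSE with no pathlen."""
    if bc is None:
        return False, None
    return bc.ca, bc.pathlen


def check_encoding(cert: Cert) -> Tuple[bool, str]:
    """Profile rules for how basicConstraints may appear on one certificate."""
    bc = cert.basic_constraints
    if bc is None:
        return True, "absent: end-entity certificate, same as CA:FALSE"
    if bc.pathlen is not None and bc.pathlen < 0:
        return False, "pathLenConstraint must be a non-negative INTEGER"
    if not bc.ca and bc.pathlen is not None:
        return False, "pathLenConstraint with CA:FALSE is non-conformant"
    if bc.ca and not bc.critical:
        return False, "basicConstraints MUST be critical on a CA certificate"
    return True, "ok"


def validate_path(path: List[Cert]) -> Tuple[bool, str]:
    """Enforce CA:TRUE and pathLenConstraint along the path (RFC 5280 6.1.4 k-m)."""
    max_path_length: Optional[int] = None   # None = no constraint seen yet
    for cert in path[:-1]:                  # every cert but the last signs another one
        is_ca, pathlen = effective_constraints(cert.basic_constraints)
        if not is_ca:                       # step (k)
            return False, f"{cert.subject} signs a certificate but is not CA:TRUE"
        # step (l): only certificates that are not self-issued consume path length,
        # so a key-rollover certificate (subject == issuer) is free
        if cert.subject != cert.issuer:
            if max_path_length == 0:
                return False, f"{cert.subject} exceeds the pathLenConstraint of an earlier CA"
            if max_path_length is not None:
                max_path_length -= 1
        # step (m): a tighter constraint on this certificate lowers the remaining budget
        if pathlen is not None and (max_path_length is None or pathlen < max_path_length):
            max_path_length = pathlen
    return True, "path ok"


if __name__ == "__main__":
    # Constructed sample hierarchy: a root (trust anchor), an issuing CA with
    # pathlen:0, and leaves. Names are placeholders, not real certificates.
    root = "CN=Example Root"
    issuing = Cert("CN=Issuing CA", root, BasicConstraints(True, 0, True))
    leaf = Cert("CN=leaf", "CN=Issuing CA")
    sub = Cert("CN=Sub CA", "CN=Issuing CA", BasicConstraints(True, None, True))
    print(validate_path([issuing, leaf]))          # (True, 'path ok')
    print(validate_path([issuing, sub, Cert("CN=leaf2", "CN=Sub CA")]))  # fails: pathlen:0 exceeded
    print(check_encoding(Cert("CN=x", root, BasicConstraints(False, 0))))  # non-conformant
```

The two functions are deliberately separate: `check_encoding` is the per-certificate profile rule a CA or a linter would apply, while `validate_path` is what a relying party does at chain-building time, where only the cumulative effect of the constraints matters.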